Update on eduroam.jp

Transcript

eduroam JP
and
development of UPKI roaming
APAN24, Xi’an, 28 Aug. 2007
Yoshikazu Watanabe*, Satoru Yamano*
Hideaki Goto**, Hideaki Sone**
* NEC Corporation, Japan
** Tohoku University, Japan
Contents
• UPKI project and network roaming
• eduroam in Japan
• Problems and solutions
• Access control of roaming users regarding local resources
• Summary
UPKI project and network roaming
• UPKI: University PKI (also referred to as: Inter-University Authentication and Authorization Platform)
– Campus Ubiquitous Network (Tohoku Univ.)
• R&D of authentication/policy-based network control mechanism
– Introduction of eduroam to Japan
– R&D of UPKI roaming system
• Collaborative research by Tohoku Univ. and NEC
eduroam in Japan
2006
• Aug. 31, Tohoku University connected to Asia-Pacific eduroam
• Sep. 28, eduroam JP website opened
• Dec., Connected to Asia-Pacific eduroam secondary server in Hong Kong
• Dec., Four organizations federated: High Energy Accelerator Research Organization (KEK), National Institute of Informatics (NII), Hokkaido Univ., and Kyoto Univ.
2007
• June, Kyushu University federated
eduroam HP: http://www.eduroam.jp/
eduroam JP network
(diagram: the Asia-Pacific (AP) primary and secondary eduroam servers, the secondary in Hong Kong, peer with Australia and Europe; below them the JP primary and JP secondary servers connect Tohoku Univ. (the first eduroam AP in Japan), KEK, NII, Hokkaido Univ., Kyoto Univ., and Kyushu Univ.)
Circumstance in Japan
• Scale
– Lots of universities and colleges (87 national, 76 public, 571 private, and colleges; 1,200+ total as of Apr. 2006)
– Large universities (some have 30,000+ people)
• Operational policy
– Guest use of IP addresses owned by a visited institution for the Internet access is not acceptable (≒ illegal) in many cases.
– Each institution has different network administration policies.
Problem about scale
• Problem
– Lots of universities and colleges
→ Configuring radius proxies is so hard
• Solution
– Utilizing the realm regular-expression patch for FreeRADIUS
• A patch that makes it possible to configure proxying with regular expressions
• Adopted in recent versions of FreeRADIUS
– RadSec is also expected to solve this problem, and further to enhance the flexibility of configuration.
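A small model of what regex-based realm routing buys a national proxy, written as an added example for this transcript; it is not the eduroam JP FreeRADIUS configuration and does not use FreeRADIUS syntax. The member realms, the pool names and the rule that a Japanese realm belonging to no member is rejected rather than forwarded upward are all constructed assumptions. The detail a practitioner wants to check is the anchoring: each pattern is matched against the whole realm, so a realm such as tohoku.ac.jp.example.net is not routed to Tohoku's home servers.

```python
import re

# Constructed routing table for a national (JP top-level) proxy. Added example,
# not the FreeRADIUS configuration of eduroam JP. Each entry pairs a regular
# expression over the realm with the pool of home servers it belongs to; the
# optional subdomain prefix lets one rule cover every department of a member
# instead of one proxy entry per realm.
MEMBER_ROUTES = [
    (re.compile(r"([a-z0-9-]+\.)*tohoku\.ac\.jp", re.I), "tohoku-home"),
    (re.compile(r"([a-z0-9-]+\.)*kyoto\.ac\.jp", re.I), "kyoto-home"),
    (re.compile(r"([a-z0-9-]+\.)*kek\.jp", re.I), "kek-home"),
]

# Realms under .jp that belong to no member are answered with a reject here:
# forwarding them to the Asia-Pacific server would only have it send them back
# down to this server (assumed loop guard).
NATIONAL_SUFFIX = re.compile(r"([a-z0-9-]+\.)+jp", re.I)

# Everything that is not a Japanese realm is handed to the AP top-level server.
UPSTREAM_POOL = "ap-primary"


def realm_of(user_name):
    """Realm part of an 'identity@realm' User-Name, or None when it has none."""
    head, sep, realm = user_name.rpartition("@")
    if not sep or not head or not realm:
        return None
    return realm


def route(user_name):
    """Decide where the JP top-level proxy sends an Access-Request.

    Returns a pool name, or "reject" when the request must not be proxied.
    fullmatch() anchors the pattern at both ends of the realm, so a realm
    that merely contains a member's domain does not match that member.
    """
    realm = realm_of(user_name)
    if realm is None:
        return "reject"                 # no realm at all: nothing to proxy
    for pattern, pool in MEMBER_ROUTES:
        if pattern.fullmatch(realm):
            return pool
    if NATIONAL_SUFFIX.fullmatch(realm):
        return "reject"                 # Japanese realm of a non-member
    return UPSTREAM_POOL


if __name__ == "__main__":
    for name in ("anonymous@cc.tohoku.ac.jp", "x@tohoku.ac.jp.example.net",
                 "x@unknown.ac.jp", "x@example.edu.au"):
        print(f"{name:35s} -> {route(name)}")
```

The same three regular expressions stand in for what would otherwise be one proxy entry per department and per institution; the reject branch for unknown .jp realms is the part most easily forgotten when a configuration is translated into patterns.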
Problem about operational policy
• Problem
1. Guest use of IP addresses in a visited institution is not acceptable.
• Responsible bodies become unclear.
• Visited institutions are often involved to resolve troubles (e.g. cracking, illegal access).
• Causes a violation of subscription conditions of IP address-based licensing (e.g. online journals).
→ VPN-only policy (for the Internet access)
2. Each institution has different network administration policies.
→ Visited institutions need a way to authorize roaming guests’ accesses to local resources.
→ Exchange of user class information and access control for local resources
Proposed solutions (Campus Ubiquitous Network)
(diagram: home institution and visited institution, each with client supplicant S/W, AP, firewalls, a RADIUS server and a VPN server, connected through the Internet)
1. VPN-only policy
– Roaming users must use a home VPN server to access the Internet.
– After authentication at an AP, a user accesses the VPN server and goes outside (using a home IP address).
– A direct access to the Internet from the visited institution network is prohibited.
2. Exchange of authorization information and access control for local resources (our recent main theme)
– Extension to eduroam authentication
Exchange of user class information and access control for local resources
• Basic idea
– Extend eduroam authentication procedure
– A home radius server attaches user class information to a radius access-accept packet.
– A radius server in a visited institution authorizes user accesses to local resources according to the received user class and local policies.
→ Realize access control for local resources
• Prototype implementation is done
User class
• Classification of users by common criteria in eduroam federation
• Each institution assigns user class to each user of the institution in advance.
Example of access control for local resources by user class
(diagram: a client of user class 1, 2, 3 or 4 at the visited institution; firewalls sit between the AP, a local service (e.g. printer), the campus network, and the Internet)
• Users (class 1) cannot access local resources
• Users (class 2) can access only local network
• Users (class 3) can access campus network, but cannot access the Internet directly
• Users (class 4) can access the Internet directly
Procedure : Access-Request
(diagram: client supplicant S/W at the visited institution, AP, firewalls, the visited and home institutions’ RADIUS servers, local resources, and the Internet)
• Client: start 802.1x authentication
• AP: send a radius access-request (a normal radius access request packet as usual in eduroam)
• Visited institution RADIUS: use eduroam to authenticate the user
• Home institution RADIUS: authenticate and authorize the user
Procedure : Access-Accept
(diagram as on the previous slide)
• Home institution RADIUS: retrieve the user class for the user, and send a radius access-accept packet
• A radius access-accept packet with the user class information travels back to the visited institution
• Visited institution RADIUS: authorize accesses to local resources using the user class and local policies
Procedure : Access-Accept (cont.)
(diagram as on the previous slide)
• Visited institution RADIUS: send a radius access-accept packet with information of authorized local resources
• FW: set filtering rules according to the information received
• AP: receive an access-accept packet without information of authorized resources
• 802.1x authentication succeeds
Procedure : access to local resources
(diagram as on the previous slide)
• Client: access to local resources
• FW: filter traffic to local resources (block un-authorized accesses)
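The class-based authorization of the procedure above and of the four-class example, as an added Python model; it is not the prototype the talk describes. The slides do not say which RADIUS attribute carries the user class, so the attribute name User-Class in the constructed Access-Accept dictionary is a placeholder, and the class-to-destination table is the visited institution's local policy as drawn on the example slide. A missing or unrecognized class falls back to class 1, the most restrictive one, so the visited firewall never opens anything the home server did not explicitly ask for.

```python
from enum import IntEnum


class Dest(IntEnum):
    """Destinations the visited institution's firewall distinguishes."""
    LOCAL = 1      # local network, e.g. the printer next to the AP
    CAMPUS = 2     # the rest of the campus network
    INTERNET = 3   # direct Internet access (not via a home VPN)


# Local policy of the visited institution (constructed, mirrors the example
# slide): user class -> destinations a roaming user of that class may reach.
LOCAL_POLICY = {
    1: set(),
    2: {Dest.LOCAL},
    3: {Dest.LOCAL, Dest.CAMPUS},
    4: {Dest.LOCAL, Dest.CAMPUS, Dest.INTERNET},
}

# Hypothetical attribute name: the slides do not define how the home server
# carries the class inside the Access-Accept.
CLASS_ATTRIBUTE = "User-Class"


def user_class_from_accept(accept):
    """Read the user class out of a (constructed) Access-Accept dict.

    Missing, non-numeric or unknown values map to class 1: a home server that
    sends nothing usable must not cause the visited side to open anything.
    """
    try:
        cls = int(accept.get(CLASS_ATTRIBUTE))
    except (TypeError, ValueError):
        return 1
    return cls if cls in LOCAL_POLICY else 1


def authorized_destinations(accept):
    """Destinations allowed by local policy for the class in the accept."""
    return LOCAL_POLICY[user_class_from_accept(accept)]


def filter_rules(client_ip, accept):
    """Rules the visited RADIUS server hands to the firewall after the
    Access-Accept: one permit per authorized destination, then a final deny
    for that client so everything not listed is blocked."""
    rules = [("permit", client_ip, d.name)
             for d in sorted(authorized_destinations(accept))]
    rules.append(("deny", client_ip, "ANY"))
    return rules


def is_allowed(rules, client_ip, dest):
    """Evaluate one packet against the rules; first matching rule wins.
    Traffic from a client with no rules at all is blocked."""
    for action, src, dst in rules:
        if src == client_ip and dst in (dest.name, "ANY"):
            return action == "permit"
    return False


if __name__ == "__main__":
    # Constructed Access-Accept for a class 3 visitor (outer identity only).
    accept = {"User-Name": "anonymous@univ-a.example", CLASS_ATTRIBUTE: "3"}
    rules = filter_rules("192.0.2.17", accept)
    for r in rules:
        print(r)
    for d in Dest:
        print(d.name, "allowed" if is_allowed(rules, "192.0.2.17", d) else "blocked")
```

The rule list is the "information of authorized local resources" of the procedure in the form a firewall can apply; the final deny per client is what makes the class semantics hold even when the home server sends a class the visited site has never heard of.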
Issues to be examined
• The definition of the “user class” in eduroam
– Representation, granularity, and so on
• How to realize and control the communication between roaming users and local resources
• Et cetera
Summary
• 6 institutions are participating in eduroam JP.
• Issues regarding roaming are revealed through the deployment of eduroam JP.
• Examining access control of roaming users regarding local resources
Thank you for your kind attention.
The problem about traceability
(diagram: a visitor at the visited institution uses a host IP address to reach the Internet; an illegal access from that address appears to come from the visited institution)
• Guest users using host’s IP addresses are recognized as members of the institution.
• A visitor cannot access the user’s home resources.
• What if a visitor with an IP address of the visited institution did some attacks to servers outside?
Traceability : case study 1
University B is subscribing to an electronic journal X, while another university A is not. A student at univ-A goes to univ-B so he/she can download journal X using the WLAN roaming. Since the student downloaded too many articles at once, the publisher thought it was a violation of the subscription condition and sent a complaint to univ-B.
In univ-B, the NW manager has to analyze the roaming logs and contact univ-A to search for the user.
User tracking and communications between universities are laborious. Even between departments in a university, such user tracking is very difficult. It is also much more difficult between countries.
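What the univ-B network manager's log analysis looks like in practice, as an added example with constructed RADIUS accounting records; these are not logs from the talk. The record format is a flat key=value line using standard RADIUS accounting attribute names, chosen for the example; a real server writes its own format. Given the address and time named in the publisher's complaint, the visited institution can recover the session, the client's MAC address and the realm, which identifies the home institution to contact. With an anonymous outer identity that is as far as the visited side can get, and the user's name must come from the home institution's own logs, which is the cross-institution step the slide calls laborious.

```python
from datetime import datetime, timezone

# Constructed accounting records of the visited institution (univ-B):
# one Start/Stop pair, one open session, and a second session that reuses
# the same address after the first one ended.
ACCOUNTING_LOG = """\
2007-06-12T09:58:02Z Acct-Status-Type=Start User-Name=anonymous@univ-a.example Framed-IP-Address=192.0.2.17 Calling-Station-Id=00-11-22-33-44-55 Acct-Session-Id=a1
2007-06-12T10:05:40Z Acct-Status-Type=Start User-Name=guest@univ-c.example Framed-IP-Address=192.0.2.18 Calling-Station-Id=66-77-88-99-aa-bb Acct-Session-Id=b2
2007-06-12T11:30:11Z Acct-Status-Type=Stop User-Name=anonymous@univ-a.example Framed-IP-Address=192.0.2.17 Calling-Station-Id=00-11-22-33-44-55 Acct-Session-Id=a1
2007-06-12T11:31:00Z Acct-Status-Type=Start User-Name=anonymous@univ-a.example Framed-IP-Address=192.0.2.17 Calling-Station-Id=cc-dd-ee-ff-00-11 Acct-Session-Id=c3
"""


def parse_time(stamp):
    """Parse the UTC timestamps used in the constructed log."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """One dict per record; the leading timestamp becomes rec['time']."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        rec = dict(field.split("=", 1) for field in fields)
        rec["time"] = parse_time(stamp)
        records.append(rec)
    return records


def sessions(records):
    """Pair Start and Stop records by Acct-Session-Id.

    A session without a Stop is still open and gets end=None, so a
    complaint about a time after its start still matches it.
    """
    by_id = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        sid = rec["Acct-Session-Id"]
        if rec["Acct-Status-Type"] == "Start":
            by_id[sid] = dict(rec, start=rec["time"], end=None)
        elif rec["Acct-Status-Type"] == "Stop" and sid in by_id:
            by_id[sid]["end"] = rec["time"]
    return list(by_id.values())


def who_had_address(records, ip, when):
    """Sessions that held `ip` at `when`, with what the visited side learns:
    the outer identity, the client MAC and the home realm to contact."""
    hits = []
    for s in sessions(records):
        if s["Framed-IP-Address"] != ip:
            continue
        if s["start"] <= when and (s["end"] is None or when <= s["end"]):
            hits.append({
                "session": s["Acct-Session-Id"],
                "outer_identity": s["User-Name"],
                "mac": s["Calling-Station-Id"],
                "home_realm": s["User-Name"].rpartition("@")[2],
            })
    return hits


if __name__ == "__main__":
    # Constructed complaint: address and time reported by the publisher.
    records = parse_log(ACCOUNTING_LOG)
    for hit in who_had_address(records, "192.0.2.17", parse_time("2007-06-12T10:30:00Z")):
        print(hit)
```

Matching on the exact time window matters because the same address is handed out again once a session ends; the second univ-a session in the constructed log would be the wrong answer for a complaint about 10:30 and the right one for a complaint about 11:45.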
Traceability : case study 2
Some resources such as local web servers in univ-B are protected by an address-based access restriction. When people in univ-A visited univ-B, they could gain access to the resources using the WLAN roaming system. Even if the administrators of the web servers examine the access logs, the outsiders’ accesses cannot be noticed because the “local” IP addresses are used.
Possible solution for roaming issues
Dedicated network
• Dedicated network might be useful for solving the responsibility problems.
– User tracking remains difficult.
• WLAN users cannot use local resources.
– can be either merit or demerit
(diagram: the visited university’s dedicated network, separate from its campus LAN, carries roaming users through the Internet to the home university and to the publisher)
VPN only solution
Permitted protocols for roaming users
• VPN
– PPTP (GRE (47), TCP/1723)
– OpenVPN (UDP/1194)
– SSH (TCP/22)
– IPsec NAT-traversal (UDP/4500)
– Cisco IPsec (TCP/10000)
– L2TP (UDP/1701)
• Others
– pop3 (TCP/110)
– pop3s (TCP/995)
– imap4 (TCP/143)
– imaps (TCP/993)
– ssmtp (TCP/465)
– msa (TCP/587)